We’ve all been searching for things to do, things to say, ways to deal. Today, I spent a chunk of my day building a couple of simple bash scripts to remove the Master branch from my git repositories and replace them with Release branches instead. They’re not complicated or feature-complete and I offer no guarantees, but they’re here and here if you want them.

Now the first question has to be… why. I mean they don’t work on GitHub – you have to use a different technique for that. (One I haven’t fully implemented.) So they only work on my private server repositories. I’m literally the only person who will use them. Yet I felt compelled to do it.

Why?

Because it’s not enough to say “I’m not racist”. It’s not enough to say “I wish things were better”. The only way we get through this with our souls intact is to say “I am anti-racist”. To actively work on the big and the small things, the ones that are critically, obviously important and also the little tiny things that seem like they don’t matter.

Like eliminating the words “Master” and “Slave” from tech.

I remember the first time I heard about it being a problem. It was in a conversation about Master/Slave relationships in IDE hard drive assignments. (Get off my lawn and cut that hair, you punk kids.) Someone told me I needed to use Primary/Secondary instead, and I just kind of… didn’t get it.

We weren’t talking about people. These were just hard drives. And it was a reasonable description of the relationship and no one around us was even black and… oh. Oh, yeah.

Things aren’t racist based on the audience. If it’s racist, it’s racist. And of course I don’t mean anything by the term, but the fact of the matter is it doesn’t matter if I do or not. The words carry meaning, and words matter. How we use them, how we say them, and even how we completely ignore how we use them and say them.

Of course, writing these scripts and changing my work in this small way still doesn’t make a big difference in the world. But it’s still valuable and useful, and I strongly encourage you to do the same.

Think of it like a couch-to-5K training exercise. Today, eliminate the word Master from some git repositories. Tomorrow, we’ll do something a little bigger. And each day, do a little more to make things just a little bit bigger.

COVID-19 has changed the way we interact with each other. It has also changed how we work, with many people now working from home on a full-time basis. Just a month ago, a large fully remote workforce was unimaginable. Now it’s a reality, and it’s working.

The Business Owner Privacy Checklist for 2019
https://rearviewmirror.org/2019/08/the-business-owner-privacy-checklist-for-2019/
Mon, 05 Aug 2019 19:14:53 +0000

Privacy regulation in the United States has historically not been something business owners spent a lot of time worrying about – it’s been limited to specific industries or situations. But as this graphic demonstrates, that’s all changing.
Source: IAPP, US State Comprehensive Privacy Law Comparison

Most business owners have heard of the California Consumer Privacy Act, or at least recognize it when they hear the title – but how about Maine’s LD 946? All three of the currently enacted laws affect the privacy landscape for US businesses, and most of the other legislative efforts on the map are expected to pass in the next year or two.

Don’t forget that these laws apply to the information about people living in these jurisdictions, no matter where the business holding the information is located. The lack of a California location doesn’t shield you from the compliance requirements of the California law. It isn’t enough to watch for the passage of a new privacy law only in the states where you operate; all of these laws potentially apply.

On the one hand, this proliferation of new privacy rules and regulations creates the potential for things to get messy and complicated, particularly for smaller businesses. Until and unless new federal legislation comes in to replace the state laws, businesses will need to pay attention to any new privacy legislation at the state level, at least in order to determine whether or not it applies.

On the other hand, regulations aren’t happening in a vacuum. Much as the global standard in privacy regulation is the European Union’s GDPR, US states are mostly following California’s lead in their privacy regulations. Using IAPP’s analysis of common elements as a guide, it’s possible to come up with a straightforward list of projects for businesses in the second half of 2019.

Inventory of Personal Information

The most common requirement in privacy legislation is to give individuals information about personal data collection. It’s impossible to comply without a clear inventory of the data you collect, the purposes it gets used for, and how it’s protected. This isn’t as easy as you might think; personal information is a broad category that includes elements like IP addresses recorded in web server logs and email addresses entered into web forms. Building out a usable inventory, even for a fairly small business, is a complex job and requires time and attention across the organization.

Thorough Data Management Processes

Consumers not only have the right to know about the information you collect, they’re often given the right to modify that information. Modification rights range from the ability to demand the correction of information to the right of deletion to restrictions on how the information may be sold or processed.

Regardless of the particular rights and privileges that apply to the information you collect, the solution is the same – you have to have clear, usable processes for managing that information. How are changes made? Who’s responsible for ensuring that requests are completed in a timely fashion? If someone makes a complaint, what records will you have to answer any investigation?

Chances are, the information you have is mostly managed in reasonable ways. But it has to be consistent, and it has to be verifiable for regulatory compliance, and those both require solid and efficient processes.

Comprehensive Privacy Notices and Customer Communication

Websites and companies have fine-print Privacy Policies – though it’s rare to find someone who’s actually read one. Regulators have taken notice of this and are frequently requiring clearer customer communication.

That doesn’t necessarily mean your existing privacy policy isn’t acceptable – it most likely just needs to be reformatted or reworded to comply. Requirements may also extend to requiring clear, plain-language descriptions rather than the formal legal language of most such policies. With the emphasis of modern privacy regulation on individual rights, companies can expect to spend a lot more time talking to their customers about privacy in any event; having the tools and documentation in place to make that communication easier to understand will benefit your employees as much as your customers.

While you’re thinking about the compliance issues, take a moment to consider how this could benefit you as well. Here you have an opportunity to not only comply with regulations but also engage your customers in a conversation. Demonstrating that you take their personal information concerns seriously and being open about your practices can be an excellent business development tool.

Complete a Formal Risk Assessment

You’re probably used to risk assessments being a required security compliance element. Well, privacy regulations typically require them too. The details of the requirement are a little unclear – there’s very little in the regulations about scope and required elements – but in order to get real value out of the assessment, it’s worth rethinking your existing process from a privacy perspective. Make sure your assessment includes all systems involved in the storage of personal information.

If you’ve never included privacy concerns in your risk assessments before, it’s a good idea to schedule an extra privacy-focused assessment just to get a good snapshot of the current situation and be able to dedicate remediation resources. Without that extra effort, you may find your annual assessment project team overwhelmed by the changes brought on by the increase in scope.

Think About Your Project Timeline

These tasks take different amounts of time and energy depending on the size and complexity of the organization. At a minimum, with dedicated and knowledgeable resources and staff, the initial effort to create a personal data inventory takes four to six weeks. Risk assessments are similar, longer if you don’t already have a regular assessment process. Process development and adoption, on the other hand, are long-term efforts rather than discrete projects – you should expect the timeframe to be measured in quarters. These efforts are also difficult to do simultaneously without dramatically increasing the resources required – particularly since the results of the inventory impact the requirements of the others.

Be warned, the California Consumer Protection Act driving many of these requirements takes full effect on January 1, 2020. Enforcement actions won’t begin for another six months, but will be affected by the actions taken in the meantime. Although narrower in scope, Nevada’s new privacy requirements allowing users to opt out of the sale of personal information take effect on October 1.

For all the necessary pieces of the puzzle to be in place ahead of these deadlines, you should be getting these projects scoped and scheduled now.

Thanks to the proliferation of inexpensive high-quality tools for video production, social media has an endless supply of people making videos about their passions. As you might expect, the quality varies, but with a little patience you can find an excellent example of content relating to anything that might interest you. Such as teapots.

Ronald Pothier takes us through the full process of hand-throwing teapots.

Now, as a potter myself, this is a great demonstration, although he almost makes it look a little too easy – trust me, it takes a lot of practice and experience to achieve an ugly teapot, much less the art demonstrated here.

Okay, so, why am I sharing this? Have I lost the plot? Is this the wrong site? Is it just because it’s Friday? What’s my point?

In information security (or privacy, or policy development, or…) we usually look inward. What are others in our field doing? What’s the latest breach news? The newest vulnerability? The hottest controversy? Right now, everyone in the field is focused on Summer Camp – either traveling to Las Vegas for DEF CON, BlackHat, and B-SidesLV, talking about why they aren’t there, or at minimum organizing plans around the way those events will dominate things for the next week.

And that’s not so great. Our roles involve so many different skillsets and techniques, many of them involving educating, communicating with, or reporting to people who are not in our field and have no intention of ever being in it. So at least some of our time should be spent looking outward. By constantly looking in, we limit our perspective, which only makes it harder to see the ways we could improve our connection with other people.

So back to teapots for a minute. It doesn’t really matter what it is, or the form it takes, but this kind of content can dramatically improve your security program. How do potters reach their audiences? Where does it differ from your approach? What could you learn from that and apply to your own user communications?

Take some time every so often to look outward. Get a different point of view, and let it change the way you see the world you work in. You’ll benefit, your program will benefit, and who knows – maybe you’ll find a whole new passion of your own to explore.

This time, it’s over 100 Million customers of Capital One who’ve had their data stolen. As usual, the fact that there’s a data breach isn’t surprising or newsworthy, although the scale of this one is above average. But looking closely at the details of the incident can tell us a lot about the state of things for the company that suffered the breach – and potentially offer important lessons for the rest of us.

The Incident

Details about the incident are somewhat confused, with different sources giving different details around the causes and timelines of the incident. I’m going to list some basic details here, all confirmed from multiple news sources and court filings, but some details are likely incorrect.

Earlier in the year, an attacker exploited a misconfiguration in a web application firewall. This vulnerability granted them access to documents related to over 100 million individual accounts, including legal names and identifying information, some limited number of US Social Security and Canadian social insurance numbers, and bank account information. Some of this information was protected by encryption, but the nature of the attacker’s access bypassed much of the protection.

On July 17, someone notified Capital One of the vulnerability through a public and easily-found disclosure program. By July 19, Capital One had confirmed and patched the vulnerability.

On July 29, as the attacker was facing charges in a Seattle courtroom, Capital One publicly announced the breach and began formal notification to those affected.

The Good Points

First, let’s talk about all the things Capital One did right.

Capital One has an apparently well-organized and functioning vulnerability management program. Not only is there an easily-identified disclosure system in place, but the report they received was processed, acted upon, and the solution implemented in production in less than 48 hours.

Many organizations would struggle to implement routine patches in 48 hours, much less a previously undisclosed system vulnerability reported by a third party.

Rather than working to minimize the negative publicity, they disclosed the issue publicly and openly, delaying less than two weeks and making their announcement at the same time as charges were filed against the attacker.

We don’t know the details of the attack, but it appears the end result was the attacker gaining access to IAM Role credentials in an instance on Amazon’s AWS.

Now, what’s good about that is, this is a relatively uncommon compromise method for AWS hosted services, which indicates that the more common issues – S3 storage credentials, uncontrolled developer instances, poor overall access controls – were probably not present in this case. Securing everything is very close to impossible; by looking at how hard an attacker had to work to gain access, we can tell a lot about the maturity of a defending organization’s security infrastructure. In this case, that’s really quite good.

The Bad Points

There are some obvious issues here, too. I’m going to stress that on the whole, I think Capital One has done a fine job; but there’s always room for improvement, and some of those areas are quite clear even from outside the organization.

The attack involved accessing and downloading large amounts of personal information from production systems. Without knowing more detail we can’t say precisely how the data was exfiltrated, but we do know that it was – the data was hosted on the attacker’s systems for quite a while. That means there was no monitoring or alerting on unusual system activity that would cover someone downloading huge amounts of customer data to a non-Capital One system, and there should be.

Similarly, while the access controls on Capital One’s production systems appear to be better than the average, they should still be improved. No system should be able to download data from Capital One backend systems unless they’re whitelisted – not just “only systems in the Capital One network”, but “only these specific IPs can access this data”. That requires careful architecture planning and design review, but frankly, this is a large bank with a huge amount of sensitive information – that shouldn’t be out of reach.
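To make the two recommendations above concrete, here is an added illustration (not code from the page or from Capital One) of the kind of check the post is asking for: it runs over a few constructed, simplified S3-style access log lines and flags both a principal whose read volume exceeds a per-window baseline and reads of a sensitive prefix from a source IP outside an assumed allowlist. The log format, role names, prefixes, thresholds and networks are all assumptions for the example.

```python
"""Toy exfiltration detector over constructed, simplified S3-style access
log lines. Added illustration only; the log format, role names, thresholds
and allowlist are assumptions, not any real organisation's configuration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real log data). Fields:
# timestamp, requester (assumed-role session ARN), source IP,
# operation, object key, bytes sent.
SAMPLE_LOG = """\
2019-03-22T10:01:05Z arn:aws:sts::111122223333:assumed-role/app-role/i-0abc 10.20.30.40 REST.GET.OBJECT reports/daily.csv 204800
2019-03-22T10:01:09Z arn:aws:sts::111122223333:assumed-role/app-role/i-0abc 10.20.30.40 REST.GET.OBJECT reports/daily.csv 204800
2019-03-22T10:02:15Z arn:aws:sts::111122223333:assumed-role/waf-role/i-0def 198.51.100.7 REST.GET.OBJECT customers/part-0001.gz 734003200
2019-03-22T10:02:41Z arn:aws:sts::111122223333:assumed-role/waf-role/i-0def 198.51.100.7 REST.GET.OBJECT customers/part-0002.gz 734003200
2019-03-22T10:03:02Z arn:aws:sts::111122223333:assumed-role/waf-role/i-0def 198.51.100.7 REST.GET.OBJECT customers/part-0003.gz 734003200
2019-03-22T10:05:00Z arn:aws:sts::111122223333:assumed-role/app-role/i-0abc 10.20.30.40 REST.PUT.OBJECT reports/daily.csv 1024
"""

# Assumed policy: only these networks may read the sensitive prefixes
# ("only these specific IPs", not "anything inside the network"), and no
# single principal should pull more than this volume per review window.
ALLOWED_SOURCES = [ip_network("10.20.0.0/16")]
SENSITIVE_PREFIXES = ("customers/",)
BYTES_PER_WINDOW_LIMIT = 1 * 1024 ** 3  # 1 GiB, assumed baseline


def parse_line(line):
    """Split one whitespace-separated sample record into a dict."""
    ts, requester, src, op, key, nbytes = line.split()
    return {"ts": ts, "requester": requester, "src": src,
            "op": op, "key": key, "bytes": int(nbytes)}


def is_allowed_source(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyse(log_text):
    """Return (alerts, per-requester byte totals).

    Each alert is a (kind, requester, detail) tuple, where kind is
    "unexpected-source" (sensitive prefix read from outside the allowlist,
    reported once per requester/source pair) or "volume" (total bytes read
    in the window above BYTES_PER_WINDOW_LIMIT).
    """
    alerts = []
    totals = defaultdict(int)
    seen_sources = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["op"] != "REST.GET.OBJECT":
            continue  # only reads move data out; writes are ignored here
        totals[rec["requester"]] += rec["bytes"]
        if rec["key"].startswith(SENSITIVE_PREFIXES) and not is_allowed_source(rec["src"]):
            pair = (rec["requester"], rec["src"])
            if pair not in seen_sources:
                seen_sources.add(pair)
                alerts.append(("unexpected-source", rec["requester"], rec["src"]))
    for requester, total in totals.items():
        if total > BYTES_PER_WINDOW_LIMIT:
            alerts.append(("volume", requester, total))
    return alerts, dict(totals)


if __name__ == "__main__":
    found, by_requester = analyse(SAMPLE_LOG)
    for kind, who, detail in found:
        print(f"{kind:18} {who} {detail}")
```

In production the same two signals would come from the cloud provider's own access logs and a baseline learned per role, not from a fixed constant; the point is that both the volume and the source are visible in data the organisation already has.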

The announcement itself was terrible. I had issues with it when I first read it, but after having time to reflect and reconsider, I’ve downgraded my opinion on it. This type of announcement has three jobs: inform the media and the customers of the situation, clearly communicate impact and responsibilities, and calm fears and uncertainties. I don’t think it managed any of those completely, and it totally failed on the fear and uncertainty count (admittedly, the toughest job of the three).

The Lessons

There are plenty of lessons here for organizations, even those who aren’t large banks.

First, even in a mature security environment, details matter. The purpose of security controls is to make it harder for malicious actors to get at sensitive information, but oftentimes it’s like trying to protect a house with a hundred ground floor doors and windows. If you’re not sure all of them are locked and bolted, there’s not a lot of point in working to secure the upper floors.

Second, the actual vulnerabilities were of a nature that can’t be solved through code and system engineering. Misconfigured production systems that work, but don’t provide adequate protection, will only be spotted through careful design review, configuration testing, and change management. Spend time and energy on building out processes, especially in complex environments, and think about how to make them more effective.

Finally, the communications strategy as a whole for Capital One is good. Excellent timing, they get a lot of points for moving as fast and accurately as they did. But… in this situation, the authenticity of the communication matters a great deal, and on that front, Capital One did themselves a big disservice.

“Like all too many responses to crises of many kinds, Fairbanks’ comment on the breach reads as overly formal and inauthentic,” Ariel Robinson, a cybersecurity consultant and Senior Policy Strategist at Smooth Sailing Solutions, said. “‘Deeply sorry’ from a CEO post-breach—and make no mistake, this was a data breach, not just an ‘incident’—is the equivalent of politicians’ ‘thoughts and prayers.’”

It’s hardly unusual for a company to fail at this type of communication. Authenticity is hard, especially when you’re talking about a failure – most especially when you don’t think of the failure as really being your fault. But it’s absolutely critical, because this is the part that people see and remember.

As of this writing, Capital One’s stock price is down just under 6% from the price immediately before the breach announcement. Now, long term, that isn’t going to last; the fundamental issues on this incident are clear and in the bank’s favor, and I think it’s highly unlikely there will be any kind of long-term repercussions or lasting damage.

But how much of that 6% could have been avoided with a better announcement? One that wasn’t quite so stilted, one that did a better job of celebrating the positives and laying uncertainties to rest? How would you do, given the same set of circumstances?

Email addresses and detailed personal information about not just Evite users, but people Evite users had sent invitations to – stored in a database archive since at least 2013.

These are the kinds of issues that come to mind when we suggest you need to think about data retention schedules and the value of personal information your organization has collected. Because six years down the road, I doubt that information really had much commercial value for Evite – but it’s certainly a liability now.

When Governor Brown signed the California Consumer Privacy Act of 2018 (CCPA), it marked a significant change in the way US businesses need to look at privacy. Companies operating internationally were already rethinking their strategies based on the European Union’s General Data Protection Regulation (GDPR), but CCPA brought the issue home for any company doing business with California residents.

One issue that attracted attention in those early days was employee data. Many thought the issue was resolved with Assembly Bill 25, which modified the CCPA to give businesses an exemption for personal data relating to employees. In recent days, however, the California Senate Judiciary Committee has modified the language of the Bill, limiting the exemptions to exclude the requirements for notification of data collection and use, and preserving employees’ right to private action, including participation in class action. Perhaps more importantly, the remaining exemptions are now temporary, with the exemptions expiring on January 1, 2021.

Now, it’s possible that things will change yet again, but realistically this version of the amendment or something very like it is probably the final word on employee data. Organizations need to be thinking now about how they collect, store, and use data on their employees and how to clearly disclose that information. What’s more, they’ll need to have a comprehensive employee privacy program within the following year.

Sound difficult? It doesn’t have to be. Start by building an inventory of how you collect and store personal information, for your employees and, while you’re at it, consider your customers, suppliers, sales leads, etc. as well. It helps to build out data flow diagrams or maps of this information so you can really get a good picture of what’s going on.

Then, for each of those data flows, think about its value. Why are you collecting it? Where do you keep it? What do you need it for? How long should you hang on to it? Who can access it, when, and what are they using it for? The answers to these questions can be complex, especially if you’ve never considered things from this aspect before, but if you begin the process now, you’ve got time to work it out.

Based on the answers, you’ll need to create policies and notifications, maybe change processes, and certainly train people in the changes. It can be a lot of work, but your customers and your employees will appreciate the visible evidence that you’re taking their privacy and security seriously.

An effective privacy program doesn’t have to be a burden on the organization or its management, especially if it actively encourages and supports the active involvement of its employees. An employee privacy program isn’t just a requirement – it’s also a great springboard for the kind of program you need to help make all of your privacy efforts more effective.

How is your organization going to adjust to the new privacy regulations? Talk to us at Smooth Sailing – we’ll be glad to help you work out a strategy.

Management Accepts the Risk: a Tabletop Exercise
https://rearviewmirror.org/2019/03/management-accepts-the-risk-a-tabletop-exercise/
Wed, 13 Mar 2019 23:35:23 +0000

On March 6 2019, we hosted a tabletop exercise at Sword & Shield CyberCONNECT in Portland, Oregon. Most information security practitioners have either conducted or participated in a tabletop at some point, but this one is a bit different. Rather than testing or introducing incident response, it’s about practicing Risk Management in a real-world setting.

We divided the audience up into teams of about seven participants, with a range of experience from technical engineers to executives. The goal is for each team to collaborate on their strategy and approach to the exercise, sharing experience and perspectives they might not hear in their daily work.

Setup

Each team is given a budget planning scorecard, a short background on their company, and 10 Resource Coins [RCs] as their starting budget. RCs are an abstraction intended to represent budget dollars, time, headcount, executive attention, etc.

The Budget scorecard is divided into five main categories, plus a Reserves account. The team allocates their RCs according to their agreed-upon strategies and these rules:

Production – this represents the product lines of the company, including product design, manufacture, sales and marketing, etc. The company must have a minimum of 1 RC allocated to production.

Insurance – in the abstract world of our exercise, you only need one policy to cover your needs. The minimum coverage costs 1 RC and would cover a loss of 2 to 5 RCs, depending on the type of claim.

Operations – investment here represents incident response and support. There’s no minimum requirement. All overhead functions are assumed to be covered in a basic budget, and the decisions here are about improving – or forgoing – the business’s ability to respond to disruptions in production.

GRC – this represents investment in compliance and policy functions. In our simulation this mostly impacts regulatory actions and related incidents. Investment here can’t prevent incidents, but it does reduce the fallout associated with regulation and compliance issues.

Process – investment here is time, money, and energy spent on improving processes in the company. It has no impact on production, incident response, or anything else in normal operations, but it earns “Advantage Coins” to make future budget allocations more effective.

Reserves – teams can leave some RCs unbudgeted for later use. We’ll cover why they might in the next section.

Through the Years

Each year of the scenario is run as four quarters. In each quarter, a randomly selected event occurs.

Most frequent are News events; they may affect future events, but they don’t have an immediate impact on the company.

Market events will impact the company this year in some way, most often by affecting Production results positively or negatively.

Finally, Crisis events are emergency situations. More on those later.

After each event, the teams have time to make changes to their budget, but they don’t get a lot of time. Events move fast, both in real life and the simulation. Budget changes have three restrictions:

First, no budget changes are allowed during a Crisis. It’s too late to adjust and prepare, and teams have to go with what they’ve got.

Second, teams can’t move RCs out of the Insurance category, although they can add to it.

Finally, any move of RCs from one category to another incurs a 1 RC penalty from Production. The exception is moving RCs from Reserves, which skips the penalty. See? Told you there was a reason to do that.

At the end of the year, based on Market events (and some rolls of the dice), the teams make revenue based on their Production RC allocations. Money spent on Insurance goes away. Advantage Coins are allocated according to Process development investment, with the highest-investing team gaining the most.

And then we do it again… for four to five rounds, which is enough to get into a rhythm and see how strategies are playing out.

Crisis!

Crisis events fall into a few different categories, but all of them have a severity (small, medium, large, or catastrophic) and threaten Production. Based on the event scenario and a roll of the dice, the event does a certain amount of “damage” ranging from 1 to 20 RCs.

But all is not lost! GRC and Operations spending can mitigate or eliminate these losses, depending on the type of incident. A data breach, for example, is mostly affected by GRC spending, while a natural disaster is mostly affected by Operations spending. If these aren’t enough to completely eliminate the impact of the crisis, well, that’s what the teams have Insurance for… they hope. See, if they had a data breach – and didn’t have any GRC spending – the insurance company isn’t going to pay out much for that, whereas disaster coverage would be paid out in full.

And if that’s not enough to cover the loss? Well, then they have to cover the rest from their Production funds or Reserves, and if necessary take out a loan they’ll be paying off for the rest of the game.

There can be other long-term effects, too. If there’s a data breach event without enough GRC spending, for example, the company is going to be hit with a regulatory fine and have mandated spending in GRC for the rest of the game.

And the Winner Is…

Who wins? Well, you might choose to have a prize for the highest-performing company, but it’s worth debating what that means.

Does a company “win” for gambling on Production spending and hoping there’s no crisis event? For suffering the least damages? Or, is the real prize the fresh perspective gained from going through this type of exercise and having the chance to look at the big picture?

The exercise allows people to experience strategy decisions as a whole-company, long-term thing. To see the environment in which a company might operate, have to make risk management decisions with imperfect data and inadequate resources, and watch how those decisions play out in time.

Experiments with Fountains: First Round
https://rearviewmirror.org/2018/08/experiments-with-fountains-first-round/
Mon, 27 Aug 2018 01:41:33 +0000

I decided I wanted to try making some desk-size fountains in the pottery studio. I started with a nice, simple, basic design, essentially an overflowing vase in a basin:
In the kitchen with towels and sink rather than photo tent… because we learn from earlier mistakes, boys and girls. (Click for a 10-second video on YouTube.)

So, as with any first round prototype, this isn’t perfect. But it’s not bad, either. Here’s what went right:

The glazing is almost exactly the mossy-rock-water effect I was aiming to achieve.

And here’s the list of what doesn’t quite work:

The reservoir of the basin isn’t big enough relative to the volume of the vase. When the pump shuts off and the water backflows into the reservoir, it overflows the basin.

The pump is too loud. It’s rated at 35-40 dB, but it’s still very clearly audible. I can (a) search for quieter pumps, (b) look into isolating the sound of the pump better, or (c) both.

My vase started with deep channels winding around the body of the vase, and I wanted the water to flow over those to create splashing bubbling sound. When I glazed the pot, though, the glaze nearly filled in the channels and they don’t really work as intended.

I have some ideas for working with this fountain as-is to address these issues at least in part, and I’ll post about those later when I’ve had a chance to flesh out the details a bit. In the meantime… on to fountain number two!

Bubble, bubble, toil and trouble… (Click for short video on YouTube)

This one is larger, and the volume of the basin is large enough to hold all the water of the fountain. But it has its own set of issues – when it’s running, some water splashes out of the fountain entirely. I have some ideas for that problem, too.

New pottery pieces
https://rearviewmirror.org/2018/08/new-pottery-pieces/
Wed, 15 Aug 2018 18:55:29 +0000

I’ve been experimenting with refining techniques, shapes, and my personal style, and haven’t posted much lately about my progress. But I’ve made some! By my own definitions, my progress as a potter has gone through these stages:

“Coulda been done by a gifted 5 year old”

“Hey, that’s actually usable!”

“The flaws are mostly things you could call character!”

“The work of a talented middle school art student”

And the latest stage,

“Plausible Pier 1 Knock-off!”

Thank you, thank you, hold the applause please.

6″ vase inspired by an 18th century inkpot. Stoneware clay, glazed with Tenmoku and gold wash.

This one below is a little different – I threw the pot, but my friend Holly glazed it for me, and I don’t know exactly what she did. But it’s a very nice overall effect.